System and method for providing and using a vlan-aware storage device

ABSTRACT

The present invention provides secure IP protocol capable storage devices using Virtual Local Area Network (VLAN) techniques. Specific embodiments of the present invention provide techniques for securing VLAN aware storage devices, and the like. In specific embodiments, techniques according to the present invention can provide Internet data centers that are responsible for keeping their customer's computers and storages safe and secure with the capability to strictly separate LAN access for different customers using VLAN (virtual LAN) technology.

BACKGROUND OF THE INVENTION

The present invention relates generally to techniques for securing networked storage devices, and in particular to techniques for enhancing security of IP networked storage devices.

Conventionally, many of today's storage devices such as Redundant Array of Independent Disks (RAID) are connected to servers through Fibre Channel networks. As Internet Protocol (IP) based technology becomes a de facto standard in the networking area, storage devices are tending to become more IP capable.

While certain advantages are perceived, opportunities for further improvement exist. For example, the more familiar IP-based storage technology becomes, the greater is the security risk of storage access. Though IP storage access protocol has its own security measures, it is desirable to have more stringent security management features incorporated into the storage device itself. Accordingly, a need for greater security than that provided by conventional mechanisms used today presents itself.

What is needed are improved security techniques for network based storage devices.

SUMMARY OF THE INVENTION

The present invention provides secure IP protocol capable storage devices using Virtual Local Area Network (VLAN) techniques. Specific embodiments of the present invention provide techniques for securing VLAN aware storage devices, and the like. In specific embodiments, techniques according to the present invention can provide Internet data centers that are responsible for keeping their customer's computers and storages safe and secure with the capability to strictly separate LAN access for different customers using VLAN (virtual LAN) technology.

In a representative embodiment, a storage apparatus is provided. The storage apparatus comprises a processor; a memory; at least one of a plurality of storage devices. A storage controller is coupled with the at least one of a plurality of storage devices. A network interface connectable to a virtual local area network (VLAN) switch provides connectivity. The processor is at least intermittently coupled with the memory, the storage controller and the network interface. The memory is operable to store configuration information, including a correspondence between at least one of a plurality of segments of a virtual local area network (VLAN) connectable by the network interface and at least one of a plurality of virtual volumes of the at least one of a plurality of storage devices. The processor, the memory, the storage controller and the network interface are operable to control a virtual local area network (VLAN) switch to map the at least one of a plurality of segments of a virtual local area network (VLAN) connectable by the network interface to the at least one of a plurality of virtual volumes of the at least one of a plurality of storage devices based upon the configuration information. For example, a server of customer A belongs to VLAN segment 1 and a server of customer B to VLAN segment 2. In this case, customer access may be confined to their own server.

In specific embodiments, the apparatus can further comprise an out of band management interface connectable to a second network. Further, in some specific embodiments, the network interface connectable to a virtual local area network (VLAN) switch comprises an interface to a VLAN trunk line. In such specific embodiments, the information carried by the VLAN trunk line is identified using an embedded tag, for example.

In specific embodiments, the network interface connectable to a virtual local area network (VLAN) switch comprises an interface to a VLAN switch, the VLAN switch connectable to at least one of a plurality of host computers via at least one of a plurality of VLAN access links. In such specific embodiments, the information carried by the at least one of a plurality of VLAN access links comprises untagged frames. The information carried by the at least one of a plurality of VLAN access links may be identified using a VLAN Identifier of a receiving port, for example. The information carried by the at least one of a plurality of VLAN access links may be identified using a Media Access Control (MAC) address, or the like, in some embodiments. In specific embodiments, the untagged frame comprises a preamble field; a source MAC field; a destination MAC field; a type field; a data field; and a CRC field.

In a representative embodiment, a method is provided. The method comprises separating logically a local area network into a plurality of virtual local area networks, including a first virtual local area network and a second virtual local area network. Separating logically a storage device into a plurality of virtual volumes, including a first virtual volume and a second virtual volume is also part of the method. Further, the method includes mapping the first virtual local area network to the first virtual volume and the second virtual local area network to the second virtual volume to form a configuration and routing information from the first virtual local area network to the first virtual volume and the second virtual local area network to the second virtual volume based upon the configuration.

In specific embodiments, the method can further comprise one or more of configuring network parameters; configuring a new file system; configuring a designated file system; and deleting a designated file system. Further, in specific embodiments, the method can also include one or more of updating a management interface IP address; updating a physical network interface IP address; updating a VLAN interface IP address and a VLAN tag; deleting a designated VLAN interface; and adding a new VLAN interface. In further specific embodiments, the method also comprises at least one of adding a VLAN to a file system; removing a VLAN from the file system; adding a volume to the file system; and removing a volume from the file system. In yet further embodiments, authenticating user authority can be part of the method.

In another representative embodiment, a computer program product is provided. The computer program product comprises a computer readable storage medium that contains code for sending and receiving tagged frames to and from a network interface; code for managing a file system; and code for managing a virtual volume within the file system. Code for controlling data transfer between the network interface and a storage controller of the file system and code for routing information from a virtual local area network to a virtual volume in the file system based upon a configuration can also be stored on the computer readable storage medium.

In specific embodiments, the computer program product further comprises at least one of code for receiving configuration information for the file system; code for receiving configuration information for the virtual volume; and code for receiving configuration information for the virtual local area network. Further, in specific embodiments, the computer program product further comprises at least one of code for updating configuration information for the file system; code for updating configuration information for the virtual volume; and code for updating configuration information for the virtual local area network.

In a representative embodiment, a computer apparatus is provided. The computer apparatus comprises a means for processing information and a means for connecting to a virtual local area network (VLAN) switch. The means for processing and the means for connecting to a virtual local area network (VLAN) switch are connectable to an external storage device having at least one of a plurality of volumes mapped to at least one of a plurality of segments of a virtual local area network (VLAN) based upon configuration information.

In a representative embodiment, a storage apparatus is provided. The storage apparatus comprises a means for processing information; a means for storing data; a means for controlling storing of data; and a means for connecting to a virtual local area network (VLAN) switch. The means for processing, the means for controlling storing of information and the means for connecting to a virtual local area network (VLAN) switch map at least one of a plurality of segments of a virtual local area network (VLAN) to at least one of a plurality of virtual volumes of the means for storing data based upon configuration information.

In a representative embodiment, a system is provided. The system comprises a storage device. A virtual local area network (VLAN) switch is coupled to the storage device. The system also includes at least one of a plurality of devices coupled to the virtual local area network (VLAN) switch via at least one of a plurality of virtual local area networks. The storage device is operable to control the virtual local area network (VLAN) switch to map at least one of a plurality of segments of at least one of a plurality of virtual local area networks to at least one of a plurality of virtual volumes of at least one of a plurality of storage devices based upon configuration information.

In a representative embodiment, a method of controlling accesses from servers at a disk subsystem is provided. The method is especially useful in conjunction with a disk subsystem that is connected to a virtual local area network (VLAN) switch via a VLAN trunk and receives access requests from the servers via the VLAN switch and the VLAN trunk. The method comprises the steps of allocating storage resource to each VLAN segment and receiving an Internet Protocol (IP) packet based access from a server. Determining a VLAN segment that the server belongs to, based on a VLAN identification in the IP packet, and permitting the server to access the storage resource allocated to the VLAN segment that the server belongs to are also part of the method.

In a representative embodiment, a method is provided. The method comprises separating a virtual LAN into a plurality of segments; mapping each one of the plurality of segments to a storage device; and assigning at least one of a plurality of virtual volumes to each one of the plurality of segments.

Numerous benefits are achieved by way of the present invention over conventional techniques. In specific embodiments of the present invention, a VLAN aware network interface and its management functions can be incorporated into storage devices. Specific embodiments according to the present invention provide enhanced security for VLAN aware IP networked storage devices. Using specific embodiments according to the present invention, storage device users can have not only IP-based storage access protocol (iSCSI and iSNS), but also VLAN-based access security.

These and other benefits are described throughout the present specification. A further understanding of the nature and advantages of the invention herein may be realized by reference to the remaining portions of the specification and the attached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates two frame formats in a specific embodiment according to the present invention.

FIG. 2 illustrates the system configuration of the storage device with VLAN support in a specific embodiment according to the present invention.

FIG. 3 illustrates the VLAN configuration table of a VLAN switch in a specific embodiment according to the present invention.

FIG. 4 illustrates a representative storage device operable to store information in specific embodiments according to the present invention.

FIG. 5 illustrates representative software modules operable to control functioning of the storage device in a specific embodiment according to the present invention.

FIG. 6 illustrates a network interface configuration table in a specific embodiment according to the present invention.

FIG. 7 illustrates a file system configuration table in a specific embodiment according to the present invention.

FIG. 8 illustrates a system configuration window in a specific embodiment according to the present invention.

FIG. 9 illustrates a network configuration window in a specific embodiment according to the present invention.

FIG. 10 illustrates a file system configuration window in a specific embodiment according to the present invention.

FIG. 11 illustrates a flowchart of processing of the system configuration window in a specific embodiment according to the present invention.

FIG. 12 illustrates a flowchart of processing of the network configuration window in a specific embodiment according to the present invention.

FIG. 13 illustrates a flowchart of processing of the file system configuration window in a specific embodiment according to the present invention.

FIG. 14 illustrates a flowchart of processing of a request received from the network in a specific embodiment according to the present invention.

FIG. 15 shows the protocol stack of the storage device in a specific embodiment according to the present invention.

FIG. 16 shows a flowchart of processing of incoming data frames in a specific embodiment according to the present invention.

DESCRIPTION OF THE SPECIFIC EMBODIMENTS

The present invention provides secure IP protocol capable storage devices, systems and methods using Virtual Local Area Network (VLAN) techniques. Specific embodiments of the present invention provide techniques for securing VLAN aware storage devices, and the like. Unlike conventional storage devices that are used in conjunction with Fibre Channel networks that do not support VLAN technology, embodiments of the present invention may be used with IP networks and IP based storage access protocols.

IP-based storage access protocol is now being discussed in the Internet Engineering Task Force (IETF), the standardization organization in IP network technology. For example, the IETF is developing an IP based storage access protocol called iSCSI. The Small Computer System Interface (SCSI) is an established storage access protocol and iSCSI is a kind of tunneling protocol that makes it possible to transmit SCSI protocol packets over an IP network. The protocol called iSCSI (“iSCSI,” http://www.ietf.org/internet-drafts/draft-ietf-ips-iscsi-07.txt) is a block transfer protocol in IP networks.

Access control in IP-based storage networks can be enabled using various access security mechanisms such as IPsec protocol (“Security Architecture for the Internet Protocol,” RFC 2401) and iSNS (“iSNS Internet Storage Name Service,” http://www.ieff.org/internet-drafts/draft--ieff-ips-isns-04.txt). In specific embodiments, the present invention can provide enhanced functionality for IP-based storage access technologies using VLAN technology.

Although the present invention will be described herein using references to specific embodiments employing VLAN, a general concept to enable multiple logical networks in a single physical LAN segment, a variety of other techniques can also be used in various specific embodiments. For example, many existing networks use a standard technology called IEEE 802.1Q (“IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks,” IEEE, ISBN-0738115371 or http://standards.ieee.org/reading/ieee/std/lanman/802.-1Q-1998.pd). These and other types of networking standards may be used in the many and varying specific embodiments according to the present invention, as will be readily apparent to those skilled in the art.

Overview

IP-based storage access protocol has its own security mechanism in it. However, in highly secure networks, additional security measures should be taken to eliminate the possibility of illegal data access from an unauthorized LAN segment.

Specific embodiments according to the present invention address this problem by adding VLAN capabilities to storage devices. The storage devices described herein can send and receive VLAN aware frames (or packets) and process these frames properly according to the management configurations. For example, as illustrated herein below with respect to FIGS. 6 and 7, a VLAN segment may be mapped to virtual storage volumes that are allowed to the VLAN segment. File systems can also be mapped to a VLAN. A server that belongs to a certain VLAN can have access to the file system and the virtual storage volumes that are allowed to the users of the VLAN only.

Note that, while the present invention is described generally with reference to specific embodiments that include Network Attached Storage (NAS)-like storage devices, the present invention is not limited to such embodiments. Techniques according to the present invention can also provide specific embodiments having ordinary storage devices without NAS capabilities, such as storage devices within a RAID or using file system software, for example.

VLAN Technology

VLAN is a technology that enables more than one subnetwork (or broadcast domain) to coexist in a single LAN segment.

In a conventional LAN, there is only one subnetwork (or broadcast domain) in a certain LAN segment. In this configuration, each end station connected to the LAN segment can transmit and receive data frames to and from the LAN. This means that there is no means to keep a certain end station from communicating with another end station on the LAN segment.

VLAN technology makes it possible to split a LAN segment into several virtual LAN segments. An end station that belongs to a certain VLAN segment does not communicate with another end station that belongs to a different VLAN segment.

VLAN Type

There are several VLAN types, which may be classified according to the criteria that determine membership of end stations to VLAN segments. The following are two typical VLAN types.

1. Port-Based VLAN

A VLAN switch can assign a VLAN ID to end stations that are connected to a certain switch port. This is called port-based VLAN.

2. Address-Based VLAN

A VLAN switch can assign a VLAN ID to end stations that have a designated MAC (Media Access Control) address. This is called address-based VLAN.

Frame Format

In a representative VLAN network, there can be two types of frame formats. FIG. 1 illustrates two frame formats in a specific embodiment according to the present invention. In FIG. 1, two frame formats, untagged frames and tagged frames, are depicted.

1. Untagged Frame

Untagged frames are used on links other than VLAN trunks. Many existing end stations such as servers, PCs and network hubs are not VLAN-aware and cannot recognize tagged frames. VLAN membership of untagged frames is determined by the VLAN ID of a receiving switch port (port-based VLAN) or the MAC address of the frame (address-based VLAN).

An untagged frame 100 contains the following fields. “Preamble” is a field to enable the detection of a frame by a receiving end station. “Source MAC” field contains a MAC address of the end station that sends this frame. “Destination MAC” field contains a MAC address of the end station that receives this frame. “Type” field describes the type of this frame. “Data” field is filled with the upper layer protocols such as Internet protocol. “CRC” field is used for error detection.

2. Tagged Frame

Tagged frames are used on a VLAN trunk link. End stations connected to a VLAN trunk are VLAN-aware and can extract VLAN ID information embedded in the frames. In addition to the other fields contained in an untagged frame, tagged frame 110 contains a field 120 called “tag header,” which contains VLAN ID information.

The storage device described in specific embodiments according to the present invention is VLAN-aware; it can send and receive tagged VLAN frames.

System Configuration

FIG. 2 illustrates the system configuration of the storage device with VLAN support in a specific embodiment according to the present invention. Storage device 200 has a network interface connected to VLAN trunk 210, which leads to a switch port of VLAN switch 220. The storage device has another network interface connected to the management network 270. Within the storage device 200, there are several file systems and storage volumes.

VLAN switch 220 has several switch ports. Port number 8 is a VLAN trunk and tagged frames are transmitted to and from this port. Other switch ports from number 1 to number 7 are access links 240. Untagged frames are transmitted to and from these ports.

Servers S-1 (261), S-2 (262) and S-3 (263) belong to VLAN #1 (251). Servers S-4 (264) and S-5 (265) belong to VLAN #2 (252). Servers S-6 (266) and S-7 (267) belong to VLAN #3 (253).

FIG. 3 illustrates the VLAN configuration table of a VLAN switch in a specific embodiment according to the present invention. The VLAN configuration table illustrated by FIG. 3 can be configuration table 300 of VLAN switch 220, for example. Port-based VLAN is used in this embodiment. The table 300 is used to store VLAN configuration information of the VLAN switch 220.

The table 300 comprises a plurality of fields. “Port No” identifies the port number of the VLAN switch. “VLAN trunk” tells if the switch port is a VLAN trunk link or not. “VLAN ID (Tag)” is a VLAN ID that is associated with the packets received on the switch port. “Other switch port attributes” contains miscellaneous configuration parameters of the switch port.
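The following Python example is added here to make the two frame formats of FIG. 1 and the port-based classification of table 300 concrete; it is not code from the patent. It encodes the untagged frame 100 and tagged frame 110 with the real IEEE 802.1Q tag header layout (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID), and models switch 220 from FIG. 2: ports 1 to 7 are access links, port 8 is the trunk. Which access port belongs to which VLAN is an assumption consistent with the server placement in FIG. 2 (VLAN 1 on ports 1 to 3, VLAN 2 on ports 4 to 5, VLAN 3 on ports 6 to 7); the sample MAC addresses and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag header

# Constructed switch configuration in the style of table 300 (FIG. 3), port-based VLAN.
# Ports 1-7 are access links, port 8 is the VLAN trunk towards the storage device (FIG. 2).
# The port-to-VLAN assignment is an assumption consistent with the FIG. 2 text
# (S-1..S-3 in VLAN 1, S-4..S-5 in VLAN 2, S-6..S-7 in VLAN 3).
PORT_TABLE = {
    1: {"trunk": False, "vlan_id": 1},
    2: {"trunk": False, "vlan_id": 1},
    3: {"trunk": False, "vlan_id": 1},
    4: {"trunk": False, "vlan_id": 2},
    5: {"trunk": False, "vlan_id": 2},
    6: {"trunk": False, "vlan_id": 3},
    7: {"trunk": False, "vlan_id": 3},
    8: {"trunk": True, "vlan_id": None},
}
TRUNK_PORT = 8


def build_untagged_frame(dst_mac, src_mac, ethertype, payload):
    """Destination MAC, source MAC, type and data of frame 100
    (preamble and CRC are produced by the hardware and omitted here)."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode an untagged frame (100) or a tagged frame (110); vlan_id is None when untagged."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return {"dst": dst, "src": src, "vlan_id": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated tag header")
    tci, inner_type = struct.unpack("!HH", frame[14:18])  # tag header 120: TCI, then real type
    return {"dst": dst, "src": src, "vlan_id": tci & 0x0FFF,  # VID is the low 12 bits of the TCI
            "ethertype": inner_type, "payload": frame[18:]}


def insert_tag(frame, vlan_id, priority=0):
    """Turn an untagged frame into a tagged one by inserting the tag header after the source MAC."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    tci = (priority << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def strip_tag(frame):
    """Remove the tag header so the frame can go out on an access link."""
    return frame[:12] + frame[16:]


def classify_ingress(port_no, frame):
    """Port-based VLAN classification: the VLAN a frame received on port_no belongs to.
    Raises ValueError for frames that do not match the port type (untagged on the trunk,
    tagged on an access link); a switch drops those."""
    entry = PORT_TABLE[port_no]
    vid = parse_frame(frame)["vlan_id"]
    if entry["trunk"]:
        if vid is None:
            raise ValueError("untagged frame on trunk port")
        return vid
    if vid is not None:
        raise ValueError("tagged frame on access port")
    return entry["vlan_id"]


def is_accepted(port_no, frame):
    """True when the switch would forward the frame rather than drop it."""
    try:
        classify_ingress(port_no, frame)
        return True
    except ValueError:
        return False


def access_to_trunk(port_no, frame):
    """Server -> storage device: an untagged frame from an access port leaves the trunk tagged."""
    return insert_tag(frame, classify_ingress(port_no, frame))


def trunk_to_access(frame):
    """Storage device -> servers: a tagged frame from the trunk is delivered untagged,
    and only to the access ports that belong to its VLAN."""
    vid = classify_ingress(TRUNK_PORT, frame)
    ports = sorted(p for p, e in PORT_TABLE.items() if not e["trunk"] and e["vlan_id"] == vid)
    return ports, strip_tag(frame)


if __name__ == "__main__":
    # Constructed sample: server S-4 on port 4 sends an IP frame (EtherType 0x0800).
    frame = build_untagged_frame(b"\x02\x00\x00\x00\x02\x00", b"\x02\x00\x00\x00\x00\x04",
                                 0x0800, b"ip")
    tagged = access_to_trunk(4, frame)
    print("VLAN ID seen by the storage device:", parse_frame(tagged)["vlan_id"])
    print("access ports reached by the reply:", trunk_to_access(tagged)[0])
```

The point for the storage device is the last two functions: every frame it receives on trunk 210 carries a VLAN ID the switch assigned from its port table, not one the server chose, and its replies only reach access ports of that same VLAN.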

Hardware Configuration

FIG. 4 illustrates a representative storage device operable to store information in specific embodiments according to the present invention. Storage device 200 comprises the following hardware components.

CPU 410 executes various programs stored in main memory 420, which holds programs and data used to implement functions and processes in accord with the present invention. Secondary memory 430 stores programs and data in persistent memory devices such as hard disks and flash memories. CPU 410 loads those programs and data stored in secondary memory 430 into main memory 420. Network interface 440 connects to the network link, which in turn connects to VLAN switch 220. Out-of-band management interface 450 connects to management network 270.

CPU 410, main memory 420, secondary memory 430, network interface 440 and out-of-band management interface 450 are connected through controller bus 480.

Storage device 200 comprises one or more storage volumes 470. Those storage volumes are connected to storage controller 460 via storage bus 490. Storage controller 460 is also connected to controller bus 480. The communication between components that are connected to controller bus 480 and storage bus 490 is accomplished through storage controller 460.

Software Configuration

Software Modules

FIG. 5 illustrates the software modules operable to control functioning of the storage device in a specific embodiment according to the present invention. The software modules illustrated in FIG. 5 can be operatively disposed in main memory 420 of storage device 200, for example.

Network interface device driver 580 sends and receives tagged frames to and from network interface 240. The device driver 580 also sends and receives untagged frames to and from out-of-band management interface 450.

There are as many VLAN virtual interfaces 570 as configured by the operator. Each VLAN interface is assigned a certain VLAN ID and is responsible for processing of those frames that belong to the VLAN ID. There are as many file server modules 560 as configured by the operator. Each file server module manages a different file system. There are as many virtual volume managers 550 as configured by the operator. A storage access device driver 510 is responsible for data transfer between virtual volume managers 550 and storage controller 460.

An operator GUI module 500 is a user interface program that system operators use to manage the storage device 200. Through this GUI module 500, operators can communicate with storage management module 520, file system management module 530 and network management module 540. Storage management module 520 is responsible for the configuration and management of virtual volume managers 550. File system management module 530 is responsible for the configuration and management of file server modules 560. A network management module 540 is responsible for configuration and management of VLAN virtual interfaces 570.

Data Management

The configuration information of the storage device 200 is stored in several data tables that are located in main memory 420.

1. Network Interface Configuration Table

FIG. 6 illustrates a network interface configuration table in a specific embodiment according to the present invention. The network interface table 600 is used to manage both physical and virtual network interfaces equipped on the storage device 200. Physical interfaces correspond to the hardware of the network interface (network interface 440 and out-of-band management interface are both physical network interfaces). On the other hand, virtual network interfaces correspond to the VLAN segment, which is actually bound to a certain physical network interface. In the example shown in FIG. 6, three virtual interfaces, “vlan1,” “vlan2” and “vlan3,” correspond to the physical network interface exp0.

The network interface table 600 comprises a plurality of fields. “Interface number” is a sequence number to manage the network interface configuration information. “Interface name” is an alphanumeric name assigned to the network interface for human readability. “Physical interface name” is the name of the physical interface that is related to this network interface. “VLAN ID” is only valid for the virtual network interface and shows the VLAN ID or tag for that VLAN. “IP Address” is an IP address that is assigned to the network interface. “Maximum throughput” is the parameter to specify the maximum throughput allowed to this network interface. “Management” is a flag that tells if this network interface is used for system management purposes or not.

2. File System Configuration Table

FIG. 7 illustrates a file system configuration table in a specific embodiment according to the present invention. The file system configuration table 700 is used to manage all the file systems in the storage device 200. The storage device of specific embodiments according to the present invention can have more than one file system and is very flexible because the mapping between VLAN interfaces and file systems can be easily defined and changed using this configuration table.

The file system configuration table 700 comprises a plurality of fields. “Interface number” is a sequence number to manage the file system configuration information. “File server module” is a unique number that identifies the file server module or program. “Allowed interfaces” are the network interfaces that are allowed to connect to this file system. “Allowed volumes” are the virtual volumes that are allowed to connect to this file system.

User Interfaces

System Configuration Window

FIG. 8 illustrates a system configuration window in a specific embodiment according to the present invention. The operator of the storage device 200 uses this window to configure the basic information that is needed to manage the storage device 200. An operator can assign an IP address to this device, add or delete file systems and change the mapping between VLAN and virtual volumes using the system configuration window. Clicking on “configure” button 810 brings up a network configuration window 900 shown in FIG. 9. Clicking on “configure” button 820 brings up a file system configuration window 1000 shown in FIG. 10.

Network Configuration Window

FIG. 9 illustrates a network configuration window in a specific embodiment according to the present invention. In this window, the operator can configure network information such as IP address and throughput assigned to the interface. Both network interface 440 and management interface 450 can be configured using this window.

In the example shown in FIG. 9, the management interface “exp1” is assigned an IP address 192.168.1.1, with subnet mask 24, and the throughput allowed for the management interface is 10 Mbps. There is one network interface “exp0” and it is assigned an IP address 10.0.4.1, with subnet mask 24 and throughput 100 Mbps. The interface “exp0” belongs to three VLANs, “vlan1,” “vlan2” and “vlan3.” Each VLAN is assigned its own IP address, VLAN ID (tag) and throughput.

File System Configuration Window

FIG. 10 illustrates a file system configuration window in a specific embodiment according to the present invention. In this window, the operator can configure file system information such as connected VLANs and connected storage volumes. In the example shown in FIG. 10, the file system #1 is connected to the VLAN “vlan2” and allowed to use storage volume “vol4.”

Processing Flows

Flowchart of System Configuration

FIG. 11 illustrates a flowchart of processing of the system configuration window in a specific embodiment according to the present invention. When the operator GUI module 500 receives a command from the operator to activate the system configuration window, the GUI module 500 displays the system configuration window 800 (step 1100). The module 500 tests if the requested operation is network configuration (step 1105). If the requested operation is network configuration, the module shows a network configuration window 900 (step 1110). Then, the module 500 tests if the requested operation is “add new file system” (step 1115). If the requested operation is “add new file system,” the module shows file system configuration window 1000 (step 1120). Otherwise, the module tests if the requested operation is “configure file system” (step 1125). If the requested operation is “configure file system,” the module shows file system configuration window 1000 (step 1130). Otherwise, the module tests if the requested operation is “delete file system” (step 1135). If the requested operation is “delete file system,” the module deletes the file system (step 1140). If any configuration change occurs, the operator GUI module displays the updated configuration information (step 1145). The above processing is repeated until the operator requests to close the system configuration window (step 1150).

Flowchart of Network Configuration

FIG. 12 illustrates a flowchart of processing of the network configuration window in a specific embodiment according to the present invention. When operator GUI module 500 receives a command from the operator to activate the network configuration window, the module displays the network configuration window 900 (step 1200). The module 500 tests if the requested operation is “update management interface” (step 1205). If the requested operation is “update management interface,” the module 500 updates the IP address of the management interface (step 1210). Otherwise, the module 500 tests if the requested operation is “update LAN” (step 1215). If the requested operation is “update LAN,” the module 500 updates the IP address of the physical network interface (step 1220). Otherwise, the module tests if the requested operation is “update VLAN” (step 1225). If the requested operation is “update VLAN,” the module updates the IP address and VLAN tag information of the VLAN interface (step 1230). Otherwise, the module tests if the requested operation is “delete VLAN” (step 1235). If the requested operation is “delete VLAN,” the module deletes the designated VLAN interface (step 1240). Otherwise, the module tests if the requested operation is “add VLAN” (step 1245). If the requested operation is “add VLAN,” the module 500 adds a new VLAN interface (step 1250).

If any network configuration change occurs, the operator GUI module 500 invokes the network management module to update the network interface configuration table (step 1255) and displays the updated network configuration information (step 1260). The above processing is repeated until the operator requests to close the system configuration window (step 1265).

Flowchart of File System Configuration

FIG. 13 illustrates a flowchart of processing of the file system configuration window in a specific embodiment according to the present invention. When the operator GUI module 500 receives a command from the operator to activate the file system configuration window, the GUI module 500 displays the file system configuration window 1000 (step 1300). The module 500 tests if the requested operation is “add VLAN” (step 1305). If the requested operation is “add VLAN,” the module 500 invokes the file system management module to add the designated VLAN to the designated file system (step 1310). Otherwise, the module tests if the requested operation is “remove VLAN” (step 1315). If the requested operation is “remove VLAN,” the module 500 invokes the file system management module to remove the designated VLAN from the designated file system (step 1320). Otherwise, the module 500 tests if the requested operation is “add volume” (step 1325). If the requested operation is “add volume,” the module 500 invokes the file system management module to add the designated volume to the designated file system (step 1330). Otherwise, the module 500 tests if the requested operation is “remove volume” (step 1335). If the requested operation is “remove volume,” the module 500 invokes the file system management module to remove the designated volume from the designated file system (step 1340).

If any file system configuration change occurs, the operator GUI module 500 invokes the file system management module to update the file system configuration table (step 1345) and displays the updated file system configuration information (step 1350). The above processing is repeated until the operator requests to close the system configuration window (step 1355).

Flowchart of Request Processing

FIG. 14 illustrates a flowchart of processing of a request received from the network in a specific embodiment according to the present invention. When the file server module 560 receives a request from a certain VLAN interface 570 (step 1400), it retrieves the user name from the request (step 1405). The file server module 560 tests if the request comes from a user already authenticated for the file system (step 1410). If the user has not been authenticated, the file server module 560 asks the user for a password (step 1415) and looks in the account database of this file system for the received password (step 1420). The file server module 560 tests if valid user information was found in the database (step 1425). If valid user information was found, the file server module 560 processes the received request properly (step 1430). If valid user information was not found, the file server module denies the request (step 1435).
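The configuration operations of FIG. 12 and FIG. 13 and the request handling of FIG. 14 can be modelled together: a network interface configuration table keyed by VLAN id, a file system table that records which VLANs and which volumes each file system owns, and one file server module per file system that serves requests from its assigned VLANs only and authenticates users against that file system's account database. The following Python is an added illustration, not the patent's own code; the class names, the consistency checks (a VLAN cannot be assigned to a file system unless it is a configured interface, a VLAN interface cannot be deleted while a file system still depends on it, a volume belongs to one file system) and the salted PBKDF2 account format are assumptions made for the example.

```python
"""Model of the configuration tables and per-VLAN request handling described
for FIG. 12, 13 and 14. Added illustration, not the patent's own code; the
class names and the account-database format are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


class ConfigError(ValueError):
    """A change that would leave the configuration tables inconsistent."""


@dataclass
class FileSystem:
    name: str
    vlans: set = field(default_factory=set)       # VLAN ids allowed to reach it
    volumes: set = field(default_factory=set)     # volumes backing it
    accounts: dict = field(default_factory=dict)  # user -> (salt, pbkdf2 hash)
    authenticated: set = field(default_factory=set)


class StorageConfig:
    """Network interface configuration table 600 plus the file system table."""

    def __init__(self):
        self.vlan_table = {}    # vlan_id -> IP address of the VLAN interface 570
        self.file_systems = {}  # name -> FileSystem

    # FIG. 12: network configuration (steps 1230-1250)
    def add_vlan(self, vlan_id, ip_address):
        if not 1 <= vlan_id <= 4094:
            raise ConfigError(f"VLAN id {vlan_id} outside the usable 802.1Q range")
        if vlan_id in self.vlan_table:
            raise ConfigError(f"VLAN {vlan_id} already configured")
        self.vlan_table[vlan_id] = ip_address

    def update_vlan(self, vlan_id, ip_address):
        if vlan_id not in self.vlan_table:
            raise ConfigError(f"VLAN {vlan_id} not configured")
        self.vlan_table[vlan_id] = ip_address

    def delete_vlan(self, vlan_id):
        # Refuse to delete an interface that a file system still depends on.
        users = [fs.name for fs in self.file_systems.values() if vlan_id in fs.vlans]
        if users:
            raise ConfigError(f"VLAN {vlan_id} still assigned to {users}")
        del self.vlan_table[vlan_id]

    # FIG. 13: file system configuration (steps 1310-1340)
    def add_file_system(self, name):
        self.file_systems[name] = FileSystem(name)

    def add_vlan_to_fs(self, fs_name, vlan_id):
        if vlan_id not in self.vlan_table:
            raise ConfigError(f"VLAN {vlan_id} is not a configured interface")
        self.file_systems[fs_name].vlans.add(vlan_id)

    def remove_vlan_from_fs(self, fs_name, vlan_id):
        self.file_systems[fs_name].vlans.discard(vlan_id)

    def add_volume_to_fs(self, fs_name, volume):
        # A volume belongs to exactly one file system, hence to one VLAN group.
        owner = [fs.name for fs in self.file_systems.values() if volume in fs.volumes]
        if owner:
            raise ConfigError(f"volume {volume} already belongs to {owner[0]}")
        self.file_systems[fs_name].volumes.add(volume)

    def remove_volume_from_fs(self, fs_name, volume):
        self.file_systems[fs_name].volumes.discard(volume)

    def set_account(self, fs_name, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        self.file_systems[fs_name].accounts[user] = (salt, digest)


class FileServerModule:
    """One file server module 560 per file system; it serves its VLANs only."""

    def __init__(self, config, fs_name):
        self.config = config
        self.fs_name = fs_name

    def handle_request(self, vlan_id, user, password=None):
        fs = self.config.file_systems[self.fs_name]
        # Requests only arrive via a VLAN interface assigned to this file system.
        if vlan_id not in fs.vlans:
            return "denied: VLAN not assigned to file system"
        if user in fs.authenticated:                 # step 1410
            return "processed"                       # step 1430
        if password is None:
            return "password required"               # step 1415
        record = fs.accounts.get(user)               # step 1420
        if record is None:
            return "denied"                          # step 1435
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
        if not hmac.compare_digest(candidate, stored):  # step 1425
            return "denied"
        fs.authenticated.add(user)
        return "processed"
```

The VLAN check in `handle_request` is the point of the design: a correct password presented from the wrong VLAN is still refused, so the per-VLAN separation holds even if credentials leak across customers. Deleting a VLAN interface that a file system still references is refused rather than silently leaving a dangling mapping.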

The storage device of specific embodiments according to the present invention can have more than one file server module 560. Each file server module 560 processes requests that are received from the designated VLAN only. As a result, the storage device of specific embodiments according to the present invention is enhanced with tighter security than conventional storage devices with no VLAN support.

FIG. 15 shows the protocol stack of the storage device in a specific embodiment according to the present invention. The bottom of the stack is the physical layer 1540, which is responsible for the physical input and output of data frames. The data link layer 1530 is responsible for the processing of data frames. VLAN-related processing, such as VLAN membership identification, is done within this layer in specific embodiments. The network layer 1520 is responsible for the processing of network protocols such as IP. The file or block protocol layer 1510 handles the storage-specific requests. Such requests are file level ones for NAS type devices and block level ones for iSCSI type devices, for example. The top layer is the application layer or file systems 1500. This layer is responsible for the processing of application logic, which, in this case, is file input and output.

FIG. 16 shows a flowchart of processing of incoming data frames in a specific embodiment according to the present invention. The incoming data frame sent from one of the servers is received by the network interface 440 (step 1600). Because the network interface 440 is connected to the VLAN trunk link 210, the incoming data frame is a tagged frame 110 with a VLAN tag header 120. Therefore, the network interface device driver 550 extracts the VLAN tag from the received data frame (step 1610). Then, the network interface device driver 580 performs lookups in the network interface configuration table 600, attempting to find an entry, or VLAN, corresponding to the extracted tag information (step 1620). The device driver 580 checks if the lookup result is one of the configured VLAN entries in the network interface configuration table 600 (step 1630). If the corresponding VLAN entry for the incoming data frame is found, the data frame is forwarded to the corresponding VLAN virtual interface 570 (step 1640). If the corresponding VLAN entry for the incoming data frame is not found, the data frame is discarded (step 1650).
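The frame classification of FIG. 16 written out as code, as an added example that is not the patent's driver code: the tag is read from the 802.1Q header (TPID 0x8100 at the EtherType position, followed by the 16-bit TCI whose low 12 bits are the VLAN id), the id is looked up in the configuration table, and the frame is forwarded to the matching VLAN interface or discarded. Function names are assumptions; the frames built by `build_tagged_frame` are constructed test input, not captured traffic. Beyond the text, the example also drops untagged frames and the two VIDs that 802.1Q never uses for membership (0, priority-tagged, and 4095, reserved), since a trunk-side driver has no VLAN identity to assign them.

```python
"""Classification of an incoming tagged frame by its 802.1Q VLAN tag, following
FIG. 16 (steps 1610-1650). Added illustration, not the patent's driver code; the
function names are assumptions and the frames in the test are constructed."""
import struct

TPID_8021Q = 0x8100          # EtherType that marks a tagged frame 110 with tag header 120
VID_PRIORITY_TAGGED = 0      # tag carries priority only, no VLAN membership
VID_RESERVED = 4095          # reserved by IEEE 802.1Q, never a configured VLAN


def parse_vlan_tag(frame: bytes):
    """Return (vlan_id, priority, inner_ethertype), or None if the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    priority = tci >> 13           # PCP: top 3 bits of the TCI
    vlan_id = tci & 0x0FFF         # VID: low 12 bits (bit 12 is DEI)
    return vlan_id, priority, ethertype


def classify_frame(frame: bytes, vlan_table: dict):
    """Steps 1620-1650: ("forward", interface) for a configured VLAN, else ("discard", vid)."""
    tag = parse_vlan_tag(frame)
    if tag is None:
        # On a trunk link every frame must carry its VLAN identity; an untagged
        # frame cannot be mapped to a VLAN interface 570, so it is dropped.
        return "discard", None
    vlan_id, _priority, _ethertype = tag
    if vlan_id in (VID_PRIORITY_TAGGED, VID_RESERVED):
        return "discard", vlan_id
    interface = vlan_table.get(vlan_id)      # lookup in configuration table 600
    if interface is None:
        return "discard", vlan_id            # step 1650
    return "forward", interface              # step 1640


def build_tagged_frame(dst, src, vlan_id, priority, ethertype, payload):
    """Build a constructed tagged frame 110 for testing (not captured traffic)."""
    tci = ((priority & 0x7) << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload
```

The lookup table here is the same `vlan_id -> interface` mapping the operator maintains through the network configuration window, so a frame tagged with a VLAN that was never configured on the storage device is dropped at the data link layer before any file or block protocol code sees it.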

In IP-based storage systems, access security is provided using segment separation technology such as VLAN. By supporting the capability to identify incoming packets on a per-VLAN basis, storage devices provide users with additional security features.

The storage device with VLAN support can restrict access to the file systems and storage volumes according to the VLAN membership of the requesting users. If a user belongs to VLAN A, the user can use only those file systems and storage volumes that are assigned to VLAN A. In addition to the separation based on VLAN membership, the regular security measures defined by the IP-based storage access protocol can also be enforced within each VLAN segment. In this sense, VLAN support is considered to provide additional security features to the storage devices.

The preceding has been a description of the preferred embodiment of the invention. It will be appreciated that deviations and modifications can be made without departing from the scope of the invention, which is defined by the appended claims.

1. A storage apparatus comprising: a network interface connectable to a local area network separated logically into a plurality of virtual local area networks, including a first virtual local area network and a second virtual local area network; a storage system operable to provide storage resources for storing user data over the local area network to at least one network entity, the storage system separated logically into a plurality of virtual volumes, including a first virtual volume and a second virtual volume; at least one file system, the at least one file system being used by a computer different from the storage system to store data in the storage system, each file system being managed by each of a plurality of file server modules; a memory storing a configuration comprising a mapping of the plurality of virtual local area networks to the at least one file system and a mapping of the plurality of virtual volumes to the at least one file system; and a controller operable to route information from a network entity associated with one of the plurality of virtual local area networks to the plurality of virtual volumes and prevent communication from a second network entity not associated with the plurality of virtual local area networks to the plurality of virtual volumes based upon the configuration.

2. The apparatus of claim 1, further comprising an out of band management interface connectable to a second network.

3. The apparatus of claim 1, wherein the network interface connectable to the virtual local area networks comprises an interface to a VLAN trunk line.

4. The apparatus of claim 3, wherein information carried by the VLAN trunk line is identified using an embedded tag.

5. The apparatus of claim 1, wherein the network interface connectable to the virtual local area networks comprises an interface to a VLAN switch, the VLAN switch connectable to at least one host computer via at least one VLAN access link.

6. The apparatus of claim 5, wherein information carried by the at least one VLAN access link comprises untagged frames.

7. The apparatus of claim 6, wherein information carried by the at least one VLAN access link is identified using a VLAN Identifier of a receiving port.

8. The apparatus of claim 6, wherein information carried by the at least one VLAN access link is identified using a Media Access Control (MAC) address.

9. The apparatus of claim 6, wherein an untagged frame comprises: a preamble field; a source MAC field; a destination MAC field; a type field; a data field; and a CRC field.

10. The storage apparatus of claim 1, wherein the file system comprises a file.

11. A method, comprising: separating logically a local area network into a plurality of virtual local area networks, including a first virtual local area network and a second virtual local area network; separating logically a storage system operable to provide storage resources for storing user data over the local area network to at least one network entity into a plurality of virtual volumes, including a first virtual volume and a second virtual volume; establishing at least one file system, the at least one file system being used by a computer different from the storage system to store data in the storage system, each file system being managed by each of a plurality of file server modules; managing a configuration comprising a mapping of the plurality of virtual local area networks to the at least one file system and a mapping of the plurality of virtual volumes to the at least one file system; and routing information from a network entity associated with one of the plurality of virtual local area networks to the plurality of virtual volumes and preventing communication from a second network entity not associated with the plurality of virtual local area networks to the plurality of virtual volumes based upon the configuration.

12. The method of claim 11, further comprising at least one of: configuring network parameters; configuring a new file system; configuring a designated file system; and deleting a designated file system.

13. The method of claim 11, further comprising at least one of: updating a management interface IP address; updating a physical network interface IP address; updating a VLAN interface IP address and a VLAN tag; deleting a designated VLAN interface; and adding a new VLAN interface.

14. The method of claim 11, further comprising at least one of: adding a VLAN to a file system; removing a VLAN from the file system; adding a volume to the file system; and removing a volume from the file system.

15. The method of claim 11, further comprising: authenticating user authority.

16. The method of claim 11, wherein the file system comprises a file.

17. A computer program product embodied in a computer-readable medium, comprising: code for separating logically a local area network into a plurality of virtual local area networks, including a first virtual local area network and a second virtual local area network; code for separating logically a storage system operable to provide storage resources for storing user data over the local area network to at least one network entity into a plurality of virtual volumes, including a first virtual volume and a second virtual volume; code for establishing at least one file system, the at least one file system being used by a computer different from the storage system to store data in the storage system, each file system being managed by each of a plurality of file server modules; code for managing a configuration comprising a mapping of the plurality of virtual local area networks to the at least one file system and a mapping of the plurality of virtual volumes to the at least one file system; and code for routing information from a network entity associated with one of the plurality of virtual local area networks to the plurality of virtual volumes and preventing communication from a second network entity not associated with the plurality of virtual local area networks to the plurality of virtual volumes based upon the configuration.

18. The computer program product of claim 17, further comprising at least one of: code for receiving configuration information for the file system; code for receiving configuration information for the virtual volume; and code for receiving configuration information for a virtual local area network segment.

19. The computer program product of claim 18, further comprising at least one of: code for updating configuration information for the file system; code for updating configuration information for the virtual volume; and code for updating configuration information for the virtual local area network segment.

20. The computer program product of claim 17, wherein the file system comprises a file.

21. A method, comprising: separating a virtual LAN into a plurality of segments; managing a mapping of the plurality of segments to at least one file system, the at least one file system being used by a computer different from a storage system to store data in the storage system, each file system being managed by each of a plurality of file server modules, and mapping of a plurality of storage systems operable to provide storage resources for storing user data over a network to at least one network entity to the file system; assigning a plurality of virtual volumes to the file system and assigning a plurality of segments to the file system; and controlling access to the plurality of virtual volumes, such that the plurality of virtual volumes will communicate only with the plurality of segments within the same file system.

22. The method of claim 21, wherein the file system comprises a file.

23. A storage system comprising: a network interface connectable to a virtual LAN separated into a plurality of segments; at least one file system, the at least one file system being used by a computer different from the storage system to store data in the storage system, each file system being managed by each of a plurality of file server modules; a plurality of storage systems operable to provide storage resources for storing user data over a network to at least one network entity using the file system; and a processing module operable to: manage a mapping of the plurality of segments to the at least one file system and mapping of the plurality of storage systems to the file system; assign a plurality of virtual volumes to the file system and assigning a plurality of segments to the file system; and control access to the plurality of virtual volumes, such that the plurality of virtual volumes will communicate only with the plurality of segments within the same file system.